With increasing regulation and scrutiny placed on organisations and, critically, on the individuals within them (such as the FCA’s SM&CR), there is obviously a growing fear within the boardroom of the potential financial and personal impact of a serious data breach.

Add to that the “when, not if” mentality of potentially always being one step behind the hackers, and a desire to limit or transfer the exposure to damaging financial penalties is completely understandable. Whether it is legally, morally or commercially viable to insure yourself against a GDPR fine (or any other regulatory penalty, for that matter) incurred as a consequence of an organisation’s own “failures” is clearly a matter for some debate (answers on a postcard), and opinions vary between countries, states and regulators.

I’m glad to hear the ICO play a straight bat on this, with a spokesperson for the regulator reported as saying it is “not an issue for the ICO”. The GDPR neither permits nor prohibits insurance cover against fines, but irrespective of this, they added, “a focus on insurance rather misses the point, and organisations should be looking to recognise the benefits of good information rights practice to their efficiency, reputation and competitive edge”.